LayneIT

asked on

How can I force a remote office NOT on my domain to use a specific domain controller (or site) when authenticating to said domain?

A quick rundown of our environment first...

I work at the corporate office of a medium-sized international corporation.  We have roughly 50 remote offices that all have permanent VPN tunnels to corporate... a big star if you will.  15 of those offices have a domain controller and their workstations are members of the corporate 2003 domain and so we have 16 sites total.  The others either have workgroups or have their own untrusted domain.  Typically remote offices CANNOT route to one another but can only get to the corporate 'hub'.

The Problem: One of these offices that has their own domain (untrusted) needs to access corporate resources which require authentication to the corporate domain.  They have a secondary DNS zone for the corporate domain so they can ping corporate resources by name.  The problem is that in my experience when you ping a fully qualified domain name you can get a response from any DC in your site.  If you are like this remote office and outside the domain and therefore not in a site... you can get a response from ANY domain controller in the entire forest.  Well, they only have network access to those DCs located at the corporate office, but often when they try to ping or authenticate to our domain, they are asking domain controllers at other remote offices and therefore get no response.  Is it possible to force a remote office when pinging or authenticating to the corporate domain to ONLY ask domain controllers in the corporate site? Or even just one specific domain controller at corporate?

I imagine if this could be done it would have to be done in DNS but I cannot figure out how it is possible.

Thanks in advance for any help!!

-Mike
Bradley Fox

When they access a system that is not part of their domain, the client does not do the authentication; all authentication requests to the domain controller are done by the target system.  Where are the target servers these clients are trying to access located?  If they are at the "hub" of your network, you are having a different problem.  If they are located at the site, then this could be an issue.

http://msdn.microsoft.com/en-us/library/aa378749(VS.85).aspx

You should set up site links in Active Directory.  This is how AD knows who can talk to who and how fast the link is between sites.  In your scenario DO NOT create a site link bridge as all the subnets cannot talk to each other.  Make sure only sites that can talk to each other are members of each site link.

This is often an issue in star network designs, as when you create a site in AD it forces you to add it to a site link.  Since you don't usually have all your site links set up when creating sites, everything gets added to the default site link, which makes AD think everyone can talk to each other.
My end-user experience shows that the domain of the last logged-in admin is kept, and my IT experience tells me it should be in the HKLM registry.
Happy googling...
Oh, BTW you should also create a site, subnet, and site link in AD Sites and Services for every site that has to authenticate to domain resources even if there is no domain controller at the site.
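
The two checks suggested in the answer above (site links should only group sites that can actually reach each other, and every client subnet should map to a site) can be run offline against an export of the topology. This is an added example, not part of the original thread; the site names, subnets, link names and routing pairs are constructed sample data, and the longest-prefix subnet match is this example's assumption about how a client address is mapped to a site.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (not from the thread): a hub-and-spoke layout.
SUBNET_TO_SITE = {
    "10.0.0.0/16": "Corporate",
    "10.1.0.0/24": "BranchA",
    "10.2.0.0/24": "BranchB",
}
# Site pairs that can really route to each other: spokes reach only the hub.
ROUTABLE = {
    frozenset(("Corporate", "BranchA")),
    frozenset(("Corporate", "BranchB")),
}
# Site link membership as it might look after sites were added to the default link.
SITE_LINKS = {
    "DEFAULTIPSITELINK": ["Corporate", "BranchA", "BranchB"],
    "Corp-BranchA": ["Corporate", "BranchA"],
}


def site_for_ip(ip, subnet_to_site):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def unroutable_pairs(site_links, routable):
    """Map each site link to the member pairs that cannot reach each other."""
    findings = {}
    for link, members in site_links.items():
        bad = sorted(tuple(sorted(pair)) for pair in combinations(members, 2)
                     if frozenset(pair) not in routable)
        if bad:
            findings[link] = bad
    return findings


def unmapped_clients(client_ips, subnet_to_site):
    """Client addresses that fall in no defined subnet, so belong to no site."""
    return [ip for ip in client_ips if site_for_ip(ip, subnet_to_site) is None]
```

A link flagged by `unroutable_pairs` tells AD that spokes can talk to each other when they cannot; an address returned by `unmapped_clients` belongs to no site and can be handed a domain controller anywhere in the forest.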
LayneIT

ASKER

Thanks, that put me on the right track.  We do have the sites set up correctly but the problem is I think something in the application.  I was assuming the remote application needed to be able to access Active Directory directly but really it is only trying to access a SQL server in the corporate site and then THAT server does the communicating with Active Directory.

That is correct - Glad I could help get you on the right track.